nanog mailing list archives

Re: UDP DoS mitigation?

From: "Rick Ernst" <ernst () easystreet com>
Date: Fri, 12 Dec 2008 12:47:36 -0800 (PST)


Replying to my own since there are currently about a dozen responses.

- Hardware/ASIC routers are a consistent response.  We are currently
  evaluating Juniper for other reasons, but I'll add DoS mitigation to
  mix.
- Upstream involvement: We get transit from 701, 1239, etc.  I've had
  mixed results getting timely responses from our upstreams.  It's useful
  for long-term issues, but I need as much local and timely  control as I
  can get.
- I'm not having a problem with pipe bandwidth, but high pps.
- uRPF and RTBH helped internally, but anything passing through that
  upstream connection was impacted.
- This instance was a DoS, not DDoS.  Single source and destination, but
  the source (assuming no spoofing) was in Italy.  Turning off netflow
  seemed to help, but the attack itself stopped at about the same time.

Also, thanks for the offers of individual help in mitigation, although I'd
be concerned that "Hey, can somebody block traffic {from} or {to}?" would
be an interesting experiment in a socially-engineered DoS.

Finally, there were some suggestions "S/RTBH".  RTBH I get, but my
Google-fu is weak on S/RTBH.  Details?


Thanks,
Rick

On Fri, December 12, 2008 10:15, Rick Ernst wrote:


We've had an increasing rate of DoS attacks that spew tens-of-thousands of
small UDP packets to a destination on our network.  We are getting roughly
2x our entire normal pps across all providers through one interface, or
about 4x normal through the individual interface.  The Cisco
7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when
this hits.

I'm using CEF and ip-route-cache flow on the outside interface.  Unicast
RPF is also enabled on the interface.  Unicast RPF in conjunction with a
BGP black-hole generator handles TCP attacks fairly well.

Two questions:
- Are there any knobs I should be turning in the Cisco config to help with
mitigate this?
- Are there any platforms that deal with high PPS/small packet more
gracefully?

We are looking at a network refresh and aren't locked into Cisco as a
vendor (although our current IP network consists entirely of Cisco gear).
Our current aggregate (all providers, in- plus out-bound) bandwidth is
~500Mbs, but projected growth is 1Gbs within the year.

Thanks,
Rick

Current thread:

UDP DoS mitigation? Rick Ernst (Dec 12)
- Re: UDP DoS mitigation? Roland Dobbins (Dec 12)
- RE: UDP DoS mitigation? David Kotlerewsky (Dec 12)
  - Re: UDP DoS mitigation? Roland Dobbins (Dec 12)
- RE: UDP DoS mitigation? Matthew Huff (Dec 12)
- Re: UDP DoS mitigation? Rick Ernst (Dec 12)
  - RE: UDP DoS mitigation? Ian Henderson (Dec 13)
- Re: UDP DoS mitigation? Florian Weimer (Dec 14)